Skip to main content

Cyware Orchestrate

LevelBlue Labs Open Threat Exchange (OTX) 2.0.0

App Vendor: LevelBlue Labs

App Category: Data Enrichment & Threat Intelligence

Connector Version: 2.0.1

API Version: v1

About App

LevelBlue Labs leverages the Open Threat Exchange (OTX), the world's largest open threat intelligence community, enabling collaborative defense through actionable, community-driven threat data and fostering knowledge exchange within the security community.

The LevelBlue Labs Open Threat Exchange app is configured with Orchestrate to perform the following actions:

Action Name

Description

Get Correlation Rule Details 

This action retrieves the details of a correlation rule.

Get CVE Details 

This action retrieves the details of a MITRE Common Vulnerability Enumeration (CVE) ID.

Get Domain Details 

This action retrieves the details of a domain name.

Get File Hash Details 

This action retrieves the details of a file hash.

Get Hostname Details 

This action retrieves the details of a hostname.

Get IPv4 Details 

This action retrieves the details of an IPv4 address.

Get IPv6 Details 

This action retrieves the details of an IPv6 address.

Get NID Details 

This action retrieves the details of a Network Identifier (NID).

Get URL Details 

This action retrieves the details of a URL.

Submit File for Analysis 

This action submits a file for analysis.

Submit URL for Analysis 

This action submits a URL for analysis.

Generic Action 

This is a generic action to make API requests to any LevelBlue OTX endpoint.

Configuration Parameters

The following configuration parameters are required for the LevelBlue Labs Open Threat Exchange app to communicate with the LevelBlue Labs Open Threat Exchange enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

API Key 

Enter the API key to authenticate with LevelBlue Open Threat eExchange.

Password

Required

API Version 

Enter the API version. 

Example:

v1

Text

Optional

Default version: 

v1

Timeout 

Enter a timeout for the API requests between 15 and 120 seconds.

Example:

20

Integer

Optional

Default value:

15 seconds

Verify 

Choose a preference to verify the SSL/TLS certificate while authenticating API requests.

Example:

Yes

Boolean

Optional

Default value:

No

Action: Get Correlation Rule Details

This action retrieves the details of a correlation rule.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Correlation Rule ID 

Enter a correlation rule ID to get the details. 

Example: 

572f8c3c540c6f0161677877

Text

Required

Section 

Enter a section to get specific details of the correlation rule.

Example:

general

Text

Optional

Allowed value: 

general

Default value:

general

Example Request 

[
    {
        "corr_rule": "572f8c3c540c6f0161677877",
		"section": "general"
    }
]

Action Response Parameters 

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.base_indicator 

JSON Object

Returns the details of the correlation rule.

app_instance.response.cve 

String

CVE ID of the vulnerability.

app_instance.response.false_positive 

Array

A list of false positives.

app_instance.response.pulse_info 

JSON Object

Returns a list of pulses associated with the correlation rule.

app_instance.response.indicator 

String

The correlation rule ID.

app_instance.response.sections 

Array

List of sections available for the indicator.

app_instance.response.type_title 

String

Title of the type.

app_instance.status 

String

HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes.

Action: Get CVE Details

This action retrieves the details of a MITRE Common Vulnerability Enumeration (CVE) ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

CVE ID 

Enter a CVE ID to get the details. 

Example:

CVE-2014-0160

Text

Required

Section 

Enter a section to get specific details of the CVE ID. 

Example:

general

Text

Required

Allowed value: 

general

Example Request

[
    {
        "cve": "CVE-2014-0160",
		"section": "general"
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.base_indicator 

JSON Object

Returns the details of the CVE ID, such as content, description, id, indicator, title, and others.

app_instance.response.configurations

Object

Configurations of the vulnerability.

app_instance.response.cve

String

CVE ID.

app_instance.response.cvss

Object

CVSS details of the CVE ID.

app_instance.response.cvssv2

Object

CVSSv2 details of the CVE ID.

app_instance.response.cvssv3

Object

CVSSv3 details of the CVE ID.

app_instance.response.cwe

String

CWE ID of the CVE.

app_instance.response.date_created

String

Date created

app_instance.response.date_modified

String

Date modified

app_instance.response.description

String

Description of the CVE ID.

app_instance.response.epss

Unknown

EPSS

app_instance.response.exploits

Array

List of exploits related to the CVE ID.

app_instance.response.false_positive

Array

True if the CVE ID is false positive

app_instance.response.indicator

String

Indicator value

app_instance.response.mitre_url

String

Mitre URL of the CVE ID.

app_instance.response.nvd_url

String

NVD URL of the CVE ID.

app_instance.response.products

Array

List of products associated with the CVE ID.

app_instance.response.pulse_info

Object

Returns a list of pulses associated with the CVE ID.

app_instance.response.references

Array

References list

app_instance.response.sections

Array

Sections list

app_instance.response.seen_wild

Boolean

True if seen wild

app_instance.response.type_title

String

Type title

Action: Get Domain Details

This action retrieves the details of a domain name.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Domain Name 

Enter a domain name to get the details. 

Example: 

example1.com

Text

Required

Section 

Enter a section to get specific details of the domain.

Example:

general

Text

Required

Allowed values: 

  • general

  • geo

  • malware

  • url_list

  • passive_dns

  • whois

Example Request

[
    {
        "domain_name": "example1.com",
		"section": "general"
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.base_indicator 

JSON Object

Returns the details of the domain, such as content, description, id, indicator, title, type, and others.

app_instance.response.alexa

String

Alexa link

app_instance.response.base_indicator

Object

Base indicator

app_instance.response.false_positive

Array

If false positive

app_instance.response.indicator

String

Indicator value

app_instance.response.pulse_info

Object

Returns a list of pulses associated with the domain.

app_instance.response.sections

Array

Returns a list of sections available for the domain in the LevelBlue platform.

app_instance.response.type

String

Type

app_instance.response.type_title

String

Type title

app_instance.response.validation

Array

Returns details about the domain from various threat intelligence databases.

app_instance.response.whois

String

Returns the WHOIS link of the domain.

app_instance.response.url_list

Array

Returns a list of url analysis results from LevelBlue Labs.

app_instance.response.geo

Object

Returns the geographic data of the domain, such as country code, coordinates, and other details.

app_instance.response.malware

Object

Returns the malware samples analyzed by LevelBlue Labs and observed while connecting to this domain.

app_instance.response.passive_dns

Object

Returns the passive DNS information about hostnames and domains observed by LevelBlue Labs pointing to this domain.

app_instance.response.http_scans

Object

Returns the metadata for HTTP and HTTPS connections to the domain.

Action: Get File Hash Details

This action retrieves the details of a file hash.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

File Hash 

Enter a file hash to get the details. 

Example: 

5eb63bbbe01eeed093cb22bb8f5acdc3

Text

Required

Section 

Enter a section to get specific details of the file hash.

Example:

general

Text

Required

Allowed values: 

  • general

  • analysis

Example Request

[
    {
        "file_hash": "5eb63bbbe01eeed093cb22bb8f5acdc3",
		"section": "general"
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.base_indicator 

JSON Object

Returns the details of the file hash, such as the ID, description, and other details.

app_instance.response.analysis

Object

Dynamic and static analysis of this file (Cuckoo analysis, exiftool, etc.)

app_instance.response.pulse_info

Object

Returns a list of pulses associated with the file hash.

app_instance.response.sections

Array

Returns a list of sections available for the file hash in the LevelBlue platform.

app_instance.response.validation

Object

Returns details about the file hash from various threat intelligence databases.

app_instance.response.malware

Object

List of malware detected.

Action: Get Hostname Details

This action retrieves the details of a hostname.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host Name 

Enter a hostname to get the details. 

Example: 

mail.vspcord.com

Text

Required

Section 

Enter a section to get specific details of the hostname.

Example:

general

Text

Required

Allowed values: 

  • general

  • geo

  • malware

  • url_list

  • passive_dns

  • whois

  • http_scans

Example Request

[
    {
        "host_name": "mail.vspcord.com",
		"section": "general"
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.base_indicator 

JSON Object

Returns the details of the hostname, such as the ID, description, and other details.

app_instance.response.pulse_info

JSON Object

Returns a list of pulses associated with the hostname.

app_instance.response.geo

JSON Object

A more verbose listing of geographic data (Country code, coordinates, etc.)

app_instance.response.malware

JSON Object

Malware samples analyzed by LevelBlue Labs which have been observed connecting to this hostname.

app_instance.response.url_list

Array

URLs analyzed by LevelBlue Labs on this hostname.

app_instance.response.passive_dns

JSON Object

Passive dns records observed by LevelBlue Labs pointing to this hostname.

app_instance.response.http_scans

Array

Metadata for http(s) connections to the hostname.

Action: Get IPv4 Details

This action retrieves the details of an IPv4 address.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

IPv4 Address 

Enter an IPv4 address to get the details. 

Example: 

192.168.1.1

Text

Required

Section 

Enter a section to get specific details of the IP address.

Example:

reputation

Text

Required

Allowed values: 

  • general

  • reputation

  • geo

  • malware

  • url_list

  • passive_dns

  • http_scans

Example Request

[
    {
        "ipv4_address": "1.1.1.1",
		"section": "reputation"
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.base_indicator 

JSON Object

Returns the details of the IP address, such as the ID, description, access type, and other details.

app_instance.response.asn

String

The autonomous system name for the IP address. For example, "AS8948".

app_instance.response.type

String

The indicator type.

app_instance.response.pulse_info

JSON Object

Returns a list of pulses associated with the IP address.

app_instance.response.sections

Array

Returns a list of sections available for the IP address in the LevelBlue platform.

app_instance.response.validation

Array

Returns details about the IP address from various threat intelligence databases.

app_instance.response.whois

String

Returns the WHOIS link of the IP address.

app_instance.response.reputation

JSON Object

Returns the Open Threat Intelligence (OTX) data on malicious activity observed by LevelBlue Labs (IP Reputation).

app_instance.response.geo

JSON Object

Returns the geographic data of the IP address, such as country code, coordinates, and other details.

app_instance.response.malware

JSON Object

Returns the malware samples analyzed by LevelBlue Labs and observed while connecting to this IP address.

app_instance.response.url_list

Array

Returns the URLs analyzed by LevelBlue Labs that are associated with the IP address.

app_instance.response.passive_dns

JSON Object

Returns the passive DNS information about hostnames and domains observed by LevelBlue Labs pointing to this IP address.

app_instance.response.http_scans

Array

Returns the meta data for HTTP and HTTPS connections to the IP address.

app_instance.status 

String

HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes.

Action: Get IPv6 Details

This action retrieves the details of an IPv6 address.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

IPv6 Address 

Enter an IPv6 address to get the details. 

Example: 

2001:4860:4860::8888

Text

Required

Section 

Enter a section to get specific details of the IP address.

Example:

reputation

Text

Required

Allowed values:

  • general

  • reputation

  • geo

  • malware

  • url_list

  • passive_dns

  • http_scans

Example Request

[
    {
        "ipv6_address": "2001:4860:4860::8888",
		"section": "reputation"
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.base_indicator 

JSON Object

Returns the details of the IP address, such as the ID, description, access type, and other details.

app_instance.response.asn 

String

The autonomous system name for the IP address. For example, "AS8948".

app_instance.response.type 

String

The indicator type.

app_instance.response.pulse_info 

JSON Object

Returns a list of pulses associated with the IP address.

app_instance.response.sections 

Array

Returns a list of sections available for the IP address in the LevelBlue platform.

app_instance.response.validation 

Array

Returns details about the IP address from various threat intelligence databases.

app_instance.response.whois 

String

Returns the WHOIS link of the IP address.

app_instance.response.reputation 

JSON Object

Returns the Open Threat Intelligence (OTX) data on malicious activity observed by LevelBlue Labs (IP Reputation).

app_instance.response.geo 

JSON Object

Returns the geographic data of the IP address, such as country code, coordinates, and other details.

app_instance.response.malware 

JSON Object

Returns the malware samples analyzed by LevelBlue Labs and observed while connecting to this IP address.

app_instance.response.url_list 

Array

Returns the URLs analyzed by LevelBlue Labs that are associated with the IP address.

app_instance.response.passive_dns 

JSON Object

Returns the passive DNS information about hostnames and domains observed by LevelBlue Labs pointing to this IP address.

app_instance.response.http_scans 

Array

Returns the meta data for HTTP and HTTPS connections to the IP address.

app_instance.status 

String

HTTP status code of the API request received from the app instance. For more information, see List of HTTP status codes.

Action: Get NID Details

This action retrieves the details of a network identifier (NID).

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

NID 

Enter an NID to get the details. 

Example: 

2030515

Text

Required

Section 

Enter a section to get specific details of the NID.

Example:

general

Text

Optional

Allowed value:

general

Default value:

general

Example Request 

[
    {
        "nid": "2030515",
		"section": "general"
    }
]

Action Response Parameters 

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.base_indicator 

JSON Object

Returns the details of the NID, such as the ID, description, and other details.

app_instance.response.category 

String

Category

app_instance.response.cve 

String

CVE ID

app_instance.response.event_activity 

String

Event activity

app_instance.response.false_positive 

Array

False positive

app_instance.response.indicator 

String

Indicator

app_instance.response.malware_name 

String

Malware name

app_instance.response.name 

String

Name

app_instance.response.pulse_info 

Object

Pulse info

app_instance.response.sections 

Array

Sections

app_instance.response.subcategory 

String

Subcategory

app_instance.response.type_title 

String

Type title

Action: Get URL Details

This action retrieves the details of a URL.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

URL 

Enter a URL to get the details. 

Example: 

http://www.example1.com

Text

Required

Section 

Enter a section to get specific details about the URL.

Example:

url_list

Text

Required

Allowed value:

  • general

  • url_list

Example Request

[
    {
        "url": "http://www.example1.com",
		"section": "general"
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.base_indicator 

JSON Object

Returns the details of the URL, such as the ID, description, and other details.

app_instance.response.domain 

String

Returns the domain name associated with the URL.

app_instance.response.hostname 

String

Returns the hostname associated with the URL.

app_instance.response.pulse_info 

JSON Object

Returns a list of pulses associated with the URL.

app_instance.response.sections 

Array

Returns a list of sections available for the URL in the LevelBlue platform.

app_instance.response.validation 

JSON Object

Returns details about the URL from various threat intelligence databases.

app_instance.response.whois 

String

Returns the WHOIS link of the URL.

app_instance.response.url_list 

Array

Returns a list of URL analysis results from LevelBlue Labs.

Action: Submit File for Analysis

This action submits a file for analysis.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

File Path 

Enter the file path to upload a file to analyze. 

Example: 

/home/user1/report.txt

Text

Required

Example Request

[
    {
        "file_path": "/home/user1/report.txt"
    }
]
Action: Submit URL for Analysis

This action submits a URL for analysis.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

URL 

Enter a URL to analyze. 

Example: 

http://www.example1.com

Text

Required

Example Request

[
    {
        "submit_url": "http://www.example1.com"
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.result 

JSON Object

Returns the analysis result.

app_instance.response.status 

String

Returns the analysis status.

Action: Generic Action

This is a generic action to make API requests to any LevelBlue OTX endpoint.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Method 

Enter the HTTP method to make the request. 

Example:

  • GET

  • POST

  • PUT

  • DELETE

Text

Required

Endpoint 

Enter the endpoint to make the request. 

Example:

/pulses/{pulse_id}

Text

Required

Query Params 

Enter the query parameters to pass with the API request.

Key Value

Optional

Payload 

Enter the payload to pass with the API request.

Any

Optional

Additional Data 

Enter the additional data to pass to the API request.

Key Value

Optional

Allowed keys:

  • payload_json

  • custom_output

  • download

  • filename

  • files

  • retry_wait

  • retry_count

  • response_type

Example Request

[
    {
        "method": "POST",
        "endpoint": "/pulses/{pulse_id}",
        "query_params": {},
        "payload": {},
        "extra_fields": {}
    }
]